Cloud Security Technical Reference Architecture, Study notes of Computer Networks

A technical reference architecture for cloud security, coauthored by the Cybersecurity and Infrastructure Security Agency, the United States Digital Service, and the Federal Risk and Authorization Management Program. It covers topics such as cloud service models, FedRAMP, cloud migration, DevSecOps, and cloud security posture management, and is updated as needed to reflect modern security practices and technologies.

Cloud Security Technical Reference Architecture

Coauthored by: Cybersecurity and Infrastructure Security Agency, United States Digital Service, and Federal Risk and Authorization Management Program

June 2022
Version 2.0

Revision History

The version number will be updated as the document is modified. This document will be updated as needed to reflect modern security practices and technologies.

Table 1: Revision History

Version | Date        | Revision Description     | Sections/Pages Affected
1.0     | August 2021 | Initial Release          | All
2.0     | June 2022   | Response to RFC Feedback | All


Contributing Authors

Cybersecurity and Infrastructure Security Agency: CISA is the operational lead for federal civilian cybersecurity and executes the broader mission to understand and reduce cybersecurity risk to the nation. In this role, CISA seeks to provide enhanced support for agencies adopting cloud services to improve situational awareness and incident response in cloud environments. CISA is responsible for aiding federal agencies, critical infrastructure, and industry partners as they defend against, respond to, and recover from major cyber attacks.

United States Digital Service: The United States Digital Service (USDS) is a senior team of technologists and engineers that supports the mission of departments and agencies through technology and design. USDS's multi-disciplinary teams bring best practices and new approaches to support government modernization efforts. USDS is situated under the Office of Management and Budget (OMB).

OMB produces the president's budget, examines agency programs, policies, and procedures to assess whether they comply with the president's policies, and coordinates inter-agency policy initiatives. OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB also ensures that agency reports, rules, testimony, and proposed legislation are consistent with the president's budget and administration policies, and oversees and coordinates the administration's procurement, financial management, information, and regulatory policies. In each of these areas, OMB's role is to help improve administrative management, develop better performance measures and coordinating mechanisms, and reduce unnecessary burdens on the public.

Federal Risk and Authorization Management Program: Established in 2011, FedRAMP provides a cost-effective, risk-based approach for the adoption and use of cloud services by the Federal Government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

FedRAMP is a program under the General Services Administration (GSA), which manages and supports the basic acquisition and procurement functions of federal agencies. GSA supplies products and communications for U.S. government offices, provides transportation and office space to federal employees, and develops government-wide cost-minimizing policies and other management tasks.


Table of Contents

  1. Introduction
  2. Purpose and Scope
     • 2.1 Key Programs and Initiatives
  3. Shared Services Layer
     • 3.1 Cloud Service Models Overview
     • 3.2 Introduction to FedRAMP
     • 3.3 Security Considerations under FedRAMP
  4. Cloud Migration
     • 4.1 Designing Software for the Cloud
     • 4.2 Cloud Migration Strategy
     • 4.3 Cloud Migration Scenarios
     • 4.4 Developing a DevSecOps Mentality
     • 4.5 Centralizing Common Cloud Services
     • 4.6 The Human Element
  5. Cloud Security Posture Management
     • 5.1 Defining CSPM
     • 5.2 CSPM Outcomes
     • 5.3 Adopting CSPM Capabilities
  6. Conclusion
  • Appendix A – Scenarios
  • Appendix B – Glossary and Acronyms
  • Appendix C – Resources

Table of Tables

  • Table 1: Revision History
  • Table 2: Common Cloud Migration Challenges
  • Table 3: Technical Challenges in Cloud Migration
  • Table 4: Benefits to Cloud Migration
  • Table 5: Cloud Migration Strategies
  • Table 6: CSPM Outcomes

Table of Figures

  • Figure 1: Cloud Security Technical Reference Architecture Composition and Synergies
  • Figure 2: Responsibilities for Different Service Models
  • Figure 3: Scenario 1 – Notional Phase 1 Architecture
  • Figure 4: Scenario 1 – Phase 2 Notional Architecture with Out-of-Band Data Transfer
  • Figure 5: Scenario 2 – Notional Migration of a Website to a PaaS
  • Figure 6: Scenario 2 – Notional Website with CDN
  • Figure 7: Scenario 2 – Notional Final Architecture of the New Website
  • Figure 8: Scenario 3 – Notional Deployment of SaaS-based Website Monitoring
  • Figure 9: DevSecOps Loop
  • Figure 10: Reference Architecture for a Build System with Security Testing
  • Figure 11: Reference Architecture on Centralized Security Services
  • Figure 12: Service Deployments and Integrated Solutions
  • Figure 13: Authentication Realms
  • Figure 14: PaaS Authentication Example

1. Introduction

Executive Order 14028, “Improving the Nation’s Cybersecurity” (May 12, 2021)^1 marks a renewed commitment and prioritization of federal cybersecurity modernization and strategy. Among other policy mandates, Executive Order 14028 embraces zero trust as the desired model for security and tasks the Cybersecurity and Infrastructure Security Agency (CISA) with modernizing its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments. While Executive Order 14028 marks a shift in federal policy, many efforts undertaken in recent years support the key tenets of this Executive Order. For example:

  • Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013)^2 expands information sharing programs such as the Enhanced Cybersecurity Services to provide classified and unclassified cyber threat information to U.S. companies.
  • Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (May 2017)^3 authorizes agencies to leverage the NIST Cybersecurity Framework (CSF) to implement risk management measures for mitigating the risk of unauthorized access to government information technology (IT) assets. Executive Order 13800 also directs agencies to prioritize shared services in IT procurements. In this way, Executive Order 13800 prioritizes effective risk management and IT modernization in equal measure, directing agencies to implement effective protections for data while migrating to cloud environments. Executive Order 13800 places increased emphasis on the importance of the CSF and lays the foundation for more rapid cloud adoption across the Federal government.
  • Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (May 2019)^4 emphasizes protections for critical infrastructure IT by securing supply chain acquisition. In this way, it highlights the significance of supply chain and IT procurements for government operations and agency mission fulfillment.

These preexisting efforts should continue; however, new leadership, evolving threats, and changing requirements and technologies present an opportunity to enhance existing strategies and architectural approaches. In addition, recent cyber breaches affecting cloud computing environments have had wide-ranging implications and demand a national response. These compromises demonstrate that “business as usual” approaches are no longer acceptable for defending the nation from cyber threats. Furthermore, cloud migration requires cultural changes, priorities, and design approaches that must be embraced, driven, and supported by the entire organization in order to succeed.

This Cloud Security Technical Reference Architecture builds on the initiatives above and supports the continued evolution of federal agencies within a rapidly evolving environment and technology landscape through a focus on cloud modernization efforts, namely: shared services, designing software in the cloud, and cloud security posture management.

(^1) Office of Management and Budget, “Executive Order on Improving the Nation’s Cybersecurity,” (2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. (^2) Office of Management and Budget, “Executive Order – Improving Critical Infrastructure Cybersecurity,” (2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. (^3) Office of Management and Budget, “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (2017), https://trumpwhitehouse.archives.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/. (^4) Office of Management and Budget, “Executive Order on Securing the Information and Communications Technology and Services Supply Chain,” (2019), https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/.

2. Purpose and Scope

The purpose of the Cloud Security Technical Reference Architecture is to guide agencies in a coordinated and deliberate way as they continue to adopt cloud technology. This approach will allow the Federal Government to identify, protect, detect, respond, and recover from cyber incidents, while improving cybersecurity across the .gov enterprise. As outlined in Executive Order 14028, this document seeks to inform agencies of the advantages and inherent risks of adopting cloud-based services as they begin to implement zero trust architectures.^5 The Cloud Security Technical Reference Architecture also illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.

This technical reference architecture is intended to provide guidance to agencies adopting cloud services in the following ways:

  • Cloud Deployment: provides guidance for agencies to securely transition to, deploy, integrate, maintain, and operate cloud services.
  • Adaptable Solutions: provides a flexible and broadly applicable architecture that identifies cloud capabilities and vendor agnostic solutions.
  • Secure Architectures: supports the establishment of cloud environments and secure infrastructures, platforms, and services for agency operations.
  • Development, Security, and Operations (DevSecOps): supports a secure and dynamic development and engineering cycle that prioritizes the design, development, and delivery of capabilities by building, learning, and iterating solutions as agencies transition and evolve.
  • Zero Trust: supports agencies as they plan to adopt zero trust architectures. 6

This technical reference architecture is divided into three major sections:

  • Shared Services: This section covers standardized baselines to evaluate the security of cloud services.
  • Cloud Migration: This section outlines the strategies and considerations of cloud migration, including explanations of common migration scenarios.
  • Cloud Security Posture Management: This section defines Cloud Security Posture Management (CSPM) and enumerates related security tools for monitoring, development, integration, risk assessment, and incident response in cloud environments.

While each major section covers unique aspects of cloud security, they share common synergies that support the overall goal of modernizing cloud security. Understanding the features of shared services and the delineation of responsibilities for managing and securing such services is critical to agencies’ cloud migration and security posture management. Migrating to the cloud can help agencies keep pace with the evolving technology landscape by improving both their operations and their security. Lastly, CSPM capabilities will allow agencies to dynamically protect their cloud resources both at scale and across their infrastructure.

Figure 1 details the composition and commonalities.

(^5) National Institute of Standards and Technology, “NIST Special Publication 800-207: Zero Trust Architecture,” (2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf. (^6) Office of Management and Budget, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” (2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf.

emphasis with security; for example, the emphasis on building expertise in the federal IT workforce should include prioritizing skill sets and training in cloud computing security architectures.

3. Shared Services Layer

This section introduces shared services and the security implications for agencies and vendors. The section provides an overview on cloud service models and explains how agencies can leverage FedRAMP services to support their cloud migration. It is important to note that the features of the cloud services models described in this section rely on contractual terms set during procurement; cloud acquisition is outside of the scope of this technical reference architecture.

This section will:

  • Define cloud service models: Identify and define cloud service models and how this document uses these definitions in comparison with other authoritative resources.
  • Introduce FedRAMP: Explain FedRAMP and associated roles and responsibilities.
  • Outline security considerations under FedRAMP: Describe FedRAMP requirements for continuous monitoring, incident response, and the authorization boundary.

3.1 Cloud Service Models Overview

There are many options when moving infrastructure, applications, or services into the cloud. Typically, these options are referred to as “_aaS”, where the “_” can be a letter or a series of letters that describes the type of cloud-based offering. NIST has defined three basic cloud service models: SaaS, or Software-as-a-Service; PaaS, or Platform-as-a-Service; and IaaS, or Infrastructure-as-a-Service.^10

  • Software-as-a Service (SaaS): Consumers are users of the provider’s applications running on an underlying cloud infrastructure. Applications are accessible via various client platforms. Consumers do not manage or control the underlying infrastructure.
  • Platform-as-a-Service (PaaS): Consumers have the capability to deploy custom applications using provider-supplied languages, libraries, services, and tools on the cloud infrastructure. Consumers do not manage or control the underlying infrastructure, but they have control over the deployed applications and potentially the configuration settings of the provider-supplied environment that is hosting the application.
  • Infrastructure-as-a-Service (IaaS): Consumers have the capability to provision computing resources to deploy and run environments and applications. Cloud providers manage the underlying infrastructure while the consumers have control over the computing resources, including some control of selected networking components (e.g., host- versus network-based firewall).^11

As cloud has evolved over the years, there is an ever-growing list of other _aaS acronyms for various offerings, including Desktop-as-a-Service (DaaS), Security-as-a-Service (SECaaS), Artificial Intelligence-as-a-Service (AIaaS), Container-as-a-Service (CaaS), Disaster Recovery-as-a-Service (DRaaS), Internet of Things-as-a-Service (IoTaaS), Location-as-a-Service (LaaS), Monitoring-as-a-Service (MaaS), Unified Communications-as-a-Service (UCaaS), and Workspace-as-a-Service (WaaS), among others. These additional offerings overlap with the three basic service models and are blurring the delineation between SaaS, PaaS, and IaaS, further complicating responsibilities around maintenance and security.

(^10) National Institute of Standards and Technology, “NIST Special Publication 800-145: The NIST Definition of Cloud Computing,” (2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf. (^11) Ibid.

However, SaaS, PaaS, and IaaS are the most prevalent cloud service models, and each has differences in how they are consumed and protected. This is commonly represented via the shared security model, illustrated in Figure 2. Such models outline which party has responsibility for technology, security, data, etc.

Figure 2: Responsibilities for Different Service Models

The shared security model (Figure 2) shows that the responsibility for securing a SaaS offering relies heavily upon the service provider. However, this also means that the agency consuming the service is placing more trust in the service provider. This contrasts with IaaS, where much responsibility falls on the agency, some responsibility resides with the cloud service provider (CSP), and other responsibilities are shared. CSPs may define this shared security relationship differently from one vendor to the next. Agencies must clearly identify and understand the delineation of responsibilities between themselves and their CSP. Agencies should carefully set up service level agreements (SLA) to define expectations and responsibilities with each of their CSPs. Agencies may find that they need to change their security posture to stay current with their CSP(s) as they update service offerings. Agencies should ensure that they properly understand the security posture of their elected CSP(s) both initially and continuously over time.

Agencies may also use services provided by other agencies, such as a sub-agency using services offered by a parent agency. These services can range from SaaS applications like email to an IaaS environment that the sub-agency is granted access to by the parent agency. In these cases, coordination of roles and responsibilities must be understood between the parent and sub-agency including, but not limited to,

Community: The cloud infrastructure is provisioned to a specific community of consumers that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more organizations, an authorized third party, or some combination of these entities. The infrastructure may exist on or off premises.

Public: The cloud infrastructure is provisioned for use by the general public. It may be owned, managed, and operated by one or more organizations, an authorized third party, or some combination of these entities. The infrastructure exists off-premises.

Hybrid: The cloud infrastructure is a composition of two or more of the above deployment models (i.e., Private, Community, or Public). In this instance, multiple deployment models are connected through a standardized or proprietary technology offered by the provider to maintain compatibility of data and applications. 12

Regarding community cloud, many consider government cloud offerings to be a type of community cloud model. While government cloud deployments may offer some protections beyond public cloud offerings, such as US citizens working at the CSP data center, there may be some disadvantages, too. Typically, CSPs offer new security features and tools first to the public model. It may take weeks, months, or years for these same security features and tools to be offered to government cloud deployments. Also, some features within the tools offered by CSPs in a Public cloud deployment may never be implemented in the associated government deployment. Additionally, government cloud deployments are limited to U.S. regions. Some agencies may require a global reach that is best accomplished through a public cloud deployment.

Multi-Cloud

Agencies are likely to operate in a multi-cloud environment. Agencies operating in a multi-cloud environment need to optimize their environments while maintaining situational awareness and proper security practices in each CSP they operate within. Agencies can choose to protect each of these services as an entity on its own or they may decide to maintain a holistic view of their security posture for all the services they consume. Agencies are encouraged to use tools that provide a holistic view of their application and infrastructure across all CSPs to manage security policy in a centralized way. Agencies also have the choice to use tools that are offered by CSPs and by third-party vendors for security analysis across multiple CSPs. Agencies will want to determine which of these tools best improve their security posture based on their specific needs. Agencies should evaluate the benefits and shortcomings of security tools offered by CSPs and independent tools designed for multi-cloud environments. Where possible, agencies should use security tools that can work across multiple CSPs.

Agencies should evaluate how to best monitor each cloud service they use and maintain situational awareness and proper security practices. It is important to find parity in the security information between the different cloud offerings an agency uses. Data normalization of logs by type will help achieve parity, as each of the service offerings will have variations in field names and in the number of fields in the logs they make available. Agencies should determine if they will consolidate logs to a central location for analysis and, if so, which logs and how the logs will be backhauled. Some logs will have a consolidated location, such as authentication logs if an integrated identity provider is used across multiple CSPs. Agencies must be aware of and follow OMB Memorandum (M)-21-31 for log management.^13

(^12) National Institute of Standards and Technology, “NIST Special Publication 800-145: The NIST Definition of Cloud Computing,” (2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
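The log normalization the paragraph above calls for, as an added example that is not code from the reference architecture: two constructed login records in different provider-specific shapes (the field names are assumptions, not any vendor's actual schema) are mapped onto one common schema, the schema is enforced, and a cross-provider check is run over the result.

```python
"""
Normalize authentication events from two cloud providers into one schema so
that they can be analyzed together. Added example, not code from the CISA
reference architecture. Both input formats are constructed stand-ins for
provider audit logs; their field names are assumptions, not any vendor's
real schema, and the sample records are made up.
"""
import json
from datetime import datetime

# Constructed sample records: one login event per provider, same user and IP.
SAMPLE_LOGS = [
    ("cloud_a", json.dumps({
        "eventTime": "2022-06-01T12:00:00Z",
        "eventName": "ConsoleLogin",
        "userIdentity": {"userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    })),
    ("cloud_b", json.dumps({
        "time": "2022-06-01T12:00:05Z",
        "operationName": "Sign-in activity",
        "identity": "alice",
        "callerIpAddress": "203.0.113.10",
        "resultType": "0",
        "properties": {"mfaDetail": {"authMethod": "FIDO2"}},
    })),
]

# The common schema every provider parser must produce, nothing more, nothing less.
COMMON_FIELDS = ("ts", "provider", "user", "src_ip", "outcome", "mfa")


def _ts(value):
    # Accept the trailing "Z" form, which fromisoformat() rejects before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_cloud_a(rec):
    """Map the (assumed) cloud_a record shape onto the common schema."""
    return {
        "ts": _ts(rec["eventTime"]),
        "provider": "cloud_a",
        "user": rec["userIdentity"]["userName"],
        "src_ip": rec["sourceIPAddress"],
        "outcome": "failure" if rec["responseElements"].get("ConsoleLogin") == "Failure" else "success",
        "mfa": rec.get("additionalEventData", {}).get("MFAUsed") == "Yes",
    }


def parse_cloud_b(rec):
    """Map the (assumed) cloud_b record shape onto the common schema."""
    return {
        "ts": _ts(rec["time"]),
        "provider": "cloud_b",
        "user": rec["identity"],
        "src_ip": rec["callerIpAddress"],
        "outcome": "success" if rec["resultType"] == "0" else "failure",
        "mfa": bool(rec.get("properties", {}).get("mfaDetail", {}).get("authMethod")),
    }


PARSERS = {"cloud_a": parse_cloud_a, "cloud_b": parse_cloud_b}


def normalize(provider, raw_json):
    """Parse one raw record and refuse anything that does not match the schema."""
    event = PARSERS[provider](json.loads(raw_json))
    missing = set(COMMON_FIELDS) - set(event)
    extra = set(event) - set(COMMON_FIELDS)
    if missing or extra:
        raise ValueError(f"{provider}: schema mismatch, missing={missing} extra={extra}")
    return event


def normalize_all(logs):
    """Normalize every (provider, raw_json) pair and return the events ordered by time."""
    return sorted((normalize(p, r) for p, r in logs), key=lambda e: e["ts"])


def logins_without_mfa(events):
    """Cross-provider check that only works once field names agree: logins with no MFA."""
    return [e for e in events if not e["mfa"]]


def sessions_by_user_and_ip(events):
    """Group normalized events so one user's activity across CSPs lines up."""
    out = {}
    for e in events:
        out.setdefault((e["user"], e["src_ip"]), []).append((e["provider"], e["outcome"]))
    return out


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LOGS)
    for e in evs:
        print(e)
    print("logins without MFA:", logins_without_mfa(evs))
    print(sessions_by_user_and_ip(evs))
```

The schema check in `normalize` is the point: a parser that silently drops a field leaves a blind spot that is only noticed when a detection built on the other provider's data returns nothing. Failing loudly at ingestion keeps the parity the text asks for.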

When planning to adopt cloud services, agencies must determine how they will implement authentication and access management for each service. They must consider the implications associated with where their identity provider will reside (e.g., on-premises or in a CSP; if they have more than one CSP, which CSP will host the identity provider). Agencies should implement the strongest security features wherever possible, such as phishing-resistant multi-factor authentication (MFA),^14,^15 and they should consider when to use convenience features like single sign-on.

When operating in a multi-cloud environment, agencies should be cognizant of the potential for vendor lock-in. Vendor lock-in occurs when a tenant has dependencies on services and resources within a CSP. In some cases, choosing to architect solutions that introduce vendor lock-in can provide many advantages, while in other situations agencies might need to architect solutions with minimal vendor lock-in so that solutions can easily be deployed across different services with minimal changes to configurations and deployment settings.

3.2 Introduction to FedRAMP

FedRAMP was established in 2011 by the OMB Memorandum, “Security Authorization of Information Systems in Cloud Computing Environments,” known as the FedRAMP Memo.^16 FedRAMP provides a cost-effective, risk-based approach for the adoption and use of cloud services by the Federal Government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessments for cloud technologies and federal agencies. As described in the FedRAMP Memo, FedRAMP is applicable to:

  • Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources.
  • All cloud deployment models (e.g., Public Clouds, Community Clouds, Private Clouds, and Hybrid Clouds) as defined by NIST.
  • All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, and Software as a Service) as defined by NIST.

The FedRAMP Memo further requires each Executive department or agency to:

(^13) Office of Management and Budget, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” (2021), https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf. (^14) Office of Management and Budget, “OMB M-22-09. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” (2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf. (^15) In this document, as in OMB M-22-09, “phishing-resistant” authentication refers to authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system. (^16) Office of Management and Budget, “Security Authorization of Information Systems in Cloud Computing Environments,” (2011), https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf.

  • Agencies will have an improved view into risk management, resulting in better informed decision making while authorizing cloud service products, ultimately enabling their organizations to adopt new services faster.
  • CSPs and Third Party Assessment Organizations (3PAOs) will have automated mechanisms to self-test, develop, submit, and remediate security packages, reducing the level of effort and timeline for authorizations. CSPs will additionally have automated channels to conduct continuous monitoring, resulting in faster resolutions for cybersecurity threats.
  • FedRAMP will receive improved packages at the outset of an authorization lifecycle, resulting in fewer setbacks during the review process. Through automated formats, package reviews will be streamlined, less cumbersome on stakeholders, and result in faster decision making.

FedRAMP’s Stakeholders: Roles and Responsibilities

Four stakeholder groups serve roles in FedRAMP—CSPs, 3PAOs, federal agencies, and the JAB.

Cloud Service Providers: The Federal Government is one of the largest buyers of cloud technology, and CSPs offer agencies innovative products that help them save time and resources while meeting their critical mission needs. CSPs with a Cloud Service Offering (CSO) that is being used by the Federal Government should obtain a FedRAMP Authorization and be committed to understanding FedRAMP, leveraging FedRAMP templates to maintain alignment to and compliance with the shared responsibility requirements established by FedRAMP. FedRAMP provides a standardized security framework for all cloud products and services that is recognized by all Federal Civilian Executive Branch (FCEB) agencies. CSPs only need to go through the FedRAMP Authorization process once for each CSO and then perform continuous monitoring of each authorized service. All agencies review the same continuous monitoring deliverables, which creates efficiency across the government. The FedRAMP PMO provides training, guidance, and advisory support to CSPs, helping them navigate the FedRAMP process and understand the requirements.

Third Party Assessment Organizations: Third Party Assessment Organizations (3PAOs) play a critical role in the authorization process by assessing the security of a CSO. As independent third parties, they perform initial and periodic assessments of cloud systems based on federal security requirements. The Federal Government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. During FedRAMP assessments, 3PAOs produce a Readiness Assessment Report (RAR), which is required for the JAB Authorization process. While a RAR is optional for agency authorizations, it is highly recommended. For both JAB and agency authorizations, 3PAOs produce a Security Assessment Plan (SAP) and Security Assessment Report (SAR). The SAP and SAR must be submitted to a government Authorizing Official (AO) for authorization.

Federal Agencies: FedRAMP helps federal agencies use cloud services to securely modernize their technology and support their mission. To do this, agencies use FedRAMP’s standardized baselines to evaluate the security of cloud services. Agencies work with CSPs to review the security posture and authorize the CSO for any cloud services that they wish to use. To establish a consistent approach to federal cloud adoption, agencies and CSOs are encouraged to receive FedRAMP training and to develop system-level security artifacts using FedRAMP templates. Agencies can review and reuse CSO security packages once they are designated as “Authorized” within the FedRAMP Marketplace by issuing their own authorization to use the product. FedRAMP’s “do once, use many” principle enables agencies to expand the marketplace of secure cloud services available to the Federal Government.

Joint Authorization Board: The JAB is the primary governance and decision-making body for FedRAMP. The JAB consists of the Chief Information Officers from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB is responsible for:

  • Defining and regularly updating the FedRAMP security authorization requirements.
  • Approving accreditation criteria for 3PAOs.
  • Reviewing authorization packages for cloud services based on the priority queue.
  • Granting provisional authorizations for cloud services, which serve as an initial approval that Executive departments and agencies leverage when granting their own security authorizations and an accompanying ATO for use.
  • Ensuring that provisional authorizations are reviewed and updated regularly, and notifying Executive departments and agencies of any changes to provisional authorizations, including removal of such authorizations.
  • Establishing and publishing priority queue requirements for authorization package reviews.

The JAB Charter provides additional details on the objectives and responsibilities of the board.^19

3.3 Security Considerations under FedRAMP

FedRAMP’s role is to provide a standardized approach to security and risk assessment for cloud technologies and federal agencies. Even after authorization, CSPs and agencies should be aware of ongoing security requirements and considerations.

Continuous Monitoring

It is inevitable that the security posture of an agency’s system will change after receiving authorization. This may be due to changes in the hardware or software on the cloud service offering or the discovery of new exploits. Ongoing assessment and authorization provide federal agencies using cloud services a method of detecting changes to the security posture of a system for the purpose of making risk-based decisions. Agencies using cloud environments remain responsible for monitoring portions of the environment that CSPs do not monitor, which is generally covered under separate authorizations (See Section 3.1 for how the layers of the cloud service models work with various roles and responsibilities).

The FedRAMP Continuous Monitoring Strategy Guide describes the FedRAMP strategy for a CSP to use once it has received a FedRAMP Authorization (via agency authorization or JAB provisional authorization).^20 The CSP must continuously monitor the cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. The guide instructs the CSP on the FedRAMP strategy to continuously monitor their systems. FedRAMP provides additional continuous monitoring guidance documents, such as the FedRAMP Guide for Multi-Agency Continuous Monitoring.^21 FedRAMP strongly encourages agencies to leverage this guide in order to share the

^19 The Federal Risk and Authorization Management Program, “Joint Authorization Board Charter,” (2018), https://www.fedramp.gov/assets/resources/documents/FedRAMP_Joint_Authorization_Board_Charter.pdf.
^20 The Federal Risk and Authorization Management Program, “FedRAMP Continuous Monitoring Strategy Guide,” (2018), https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf.
^21 The Federal Risk and Authorization Management Program, “Agency Guide for Multi-Agency Continuous Monitoring,” (2020), https://www.fedramp.gov/assets/resources/documents/Agency_Guide_for_Multi-Agency_Continuous_Monitoring.pdf.

CSP is responsible for. The authorization boundary is a critical component associated with the NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems, and OMB Circular A-130, Managing Information as a Strategic Resource.

FedRAMP is currently updating the Authorization Boundary Guidance document^26 to reflect changes to cloud computing technology and federal information security policy relevant to FedRAMP. The major changes will include:

  • Scoping and defining the Authorization Boundary in the cloud;
  • Defining data types, including federal data and federal metadata in the cloud; and
  • Leveraging interconnections, external and corporate services.

FedRAMP does require data centers to be located in the U.S., U.S. Territories, or geographic locations where there is U.S. jurisdiction, but only for the high baseline. For the FedRAMP low and moderate baselines, agencies should be aware that there are no implicit or explicit protections that ensure their data will stay only within the U.S. or that their resources will only be established in regions that operate within the U.S. Agencies must establish these boundaries and expectations with their CSPs and address any concerns about locations outside the U.S., U.S. Territories, or geographic locations where there is U.S. jurisdiction through SLAs or memorandums of understanding (MOUs).
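As an added example (not from the TRA or FedRAMP), the following Python script shows two checks an agency could run over its own cloud inventory as part of the continuous monitoring described above: a data-residency check against the regions it has agreed with its CSP, and a drift check of security settings against the configuration recorded at authorization. The inventory, the baseline settings and the allowed-region list are constructed sample values.

```python
"""Posture drift and data-residency checks over a constructed cloud inventory.

Added example, not code from the CISA/FedRAMP document. All values below are
constructed samples; an agency would load them from its own CSPM or IaC state.
"""
from dataclasses import dataclass

# Security settings recorded when the system was authorized (constructed).
AUTHORIZED_BASELINE = {
    "encryption_at_rest": True,
    "public_access": False,
    "logging_enabled": True,
}

# Regions the agency agreed with its CSP may hold federal data (constructed).
# The document notes FedRAMP only mandates U.S. locations at the high baseline,
# so at low/moderate the agency must enforce this itself, e.g. via SLAs/MOUs.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}


@dataclass
class Resource:
    name: str
    region: str
    settings: dict


def check_residency(resources, allowed=ALLOWED_REGIONS):
    """Return names of resources provisioned outside the agreed regions."""
    return sorted(r.name for r in resources if r.region not in allowed)


def check_drift(resources, baseline=AUTHORIZED_BASELINE):
    """Return {resource: {setting: (expected, actual)}} for every setting that
    no longer matches the authorized baseline. A setting that is missing from
    the resource is reported as drift (actual=None) rather than silently passed."""
    findings = {}
    for r in resources:
        diffs = {k: (v, r.settings.get(k)) for k, v in baseline.items()
                 if r.settings.get(k) != v}
        if diffs:
            findings[r.name] = diffs
    return findings


SAMPLE_INVENTORY = [  # constructed inventory snapshot
    Resource("records-bucket", "us-east-1",
             {"encryption_at_rest": True, "public_access": False, "logging_enabled": True}),
    Resource("analytics-db", "eu-west-1",
             {"encryption_at_rest": True, "public_access": False, "logging_enabled": True}),
    Resource("web-assets", "us-west-2",
             {"encryption_at_rest": True, "public_access": True}),
]
```

Running `check_residency(SAMPLE_INVENTORY)` flags `analytics-db`, and `check_drift(SAMPLE_INVENTORY)` reports `web-assets` for public access and the missing logging setting.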

4. Cloud Migration

This section introduces the compute plane and considerations for agencies as they design, implement, and maintain digital services in the cloud. To ensure an efficient and secure transition to cloud services, agencies should:

  • Design software for the cloud: Identify the appropriate services and capabilities to implement from the start to create a secure and efficient cloud environment.
  • Create a cloud migration strategy: Design an agency-specific plan to transition data and services from an on-premises environment to a cloud environment.
  • Adopt a Development, Security, and Operations (DevSecOps) approach: Create reliable automated digital services by utilizing code and integrating support personnel.
  • Centralize Common Cloud Services: Identify CSPs that will be used across the agency and centralize the procurement and administration.
  • Invest in People: Cloud migrations need specialized skills that agencies must cultivate.

4.1 Designing Software for the Cloud

Agencies can utilize the flexibility of the cloud to combine services in support of their mission. Agencies should work to implement security measures into their cloud-based digital services as early as possible in the Software Development Life Cycle (SDLC). Agencies that facilitate DevSecOps with automated security testing will be able to develop architectures that are scalable, repeatable, reliable, and align with zero trust philosophy. This process requires collaboration across agency teams to build digital services. DevSecOps can combine with centralized SaaS, supported by IT departments, to enable security testing of software for release. Cloud-based digital services can span IaaS, PaaS, and SaaS. These service models, along with the on-premises model, vary in who is responsible for different layers of the system architecture, as discussed in Section 3. It is imperative for agencies to confirm the services and functions their vendors are providing and are not providing.

^26 The Federal Risk and Authorization Management Program, “Requesting Public Comment on FedRAMP Authorization Boundary Guidance,” (2021), https://www.fedramp.gov/blog/2021-07-14-Public-Comment-Boundary-Guidance/.

Why Shift Software to the Cloud

Agencies moving software and digital services from an on-premises data center to the cloud can produce more reliable, scalable, and predictable software. Cloud services allow agencies to have disaster recovery available in other geographical areas and quickly expand capacity when needed, all without having to purchase another data center. Agencies can initially transition smaller, internal projects and tools to the cloud to gain experience and confidence working in a new environment before attempting to migrate larger services. Shifting to cloud is also an opportunity to redesign older digital services to enable bold progress or modernization.

The cloud offers a long list of well-known benefits; in particular, one that agencies should consider is that building zero-trust architectures, and more secure applications, can be easier in the cloud. CSPs can address aspects of the five zero trust pillars—Identity, Devices, Networks, Applications, and Data—and enable the visibility needed to begin creating cross-pillar interactions.^27 By looking for the appropriate FedRAMP approval level for services in the cloud, agencies can typically expedite an ATO, easing the migration process. Correctly configuring these services, establishing effective ICAM roles, and protecting sensitive information using encryption provided by a Key Management System (KMS) may be the responsibility of DevSecOps teams or other administrators. Section 5 has additional guidance for Cloud Security Posture Management.

Agencies should consider the security advantages of using APIs (see Section 5.3.8) or data services to securely manage their cloud deployments. Services from CSPs and third-party vendors can provide access to the same data without forcing agencies to build, verify, and maintain complex software. APIs provided by CSPs and others typically have a full staff of developers and other experts who focus solely on these systems. Creating an equivalent team within an agency can be costly and time consuming, drawing resources away from an agency’s mission.

4.2 Cloud Migration Strategy

Cloud migration is the process of moving business operations and missions into the cloud. For many agencies, this means shifting from legacy infrastructure that may no longer support their needs to a modern infrastructure that offers a more flexible and more cost-effective solution for an agency's applications. Cloud environments inherently involve a shift in mindset from on-premises solutions. Certain cloud functions can operate in ways that on-premises functions cannot, such as infrastructure as code (IaC) concepts. These concepts include dynamic provisioning and decommissioning of resources based on the elasticity of demand on services, or time-based maintenance that replaces portions of infrastructure for security purposes.

Cloud migration involves a lot of preparation and depends on the size of the application ecosystem, the age of the current applications and systems, the user base, and the amount of data. Agencies should consider the age and quantity of data in their application ecosystem; as data accumulates over time, it can pose additional challenges to cloud migration. When agencies decide to migrate their application

^27 Cybersecurity and Infrastructure Security Agency, “CISA Zero Trust Maturity Model,” (2021), https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf.